File name: rustdesk-1.3.2-x86_64.exe

Full analysis: https://app.any.run/tasks/b6b50028-0d09-4bd7-8612-7002eea8f68f
Verdict: Malicious activity
Analysis date: November 13, 2024, 18:35:49
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: remote, rustdesk
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: AA6D18E1405A0BE5EFF04D419F9C6BBE
SHA1: 30ED558A8804B5F826A3CA4A1C2212DE58E6030A
SHA256: 465E3CC0BEFA33EF54DB3819D224E19CFFE684CFE687C76B43352F5BB9C2D87E
SSDEEP: 98304:0/NGp8rTDkqbevv6xCxzF7cAXMosAiUtFk18G0MJ6GJEe7vhVU2ZNTWLYoYeTjR+:dZNWIHhNyt7VHfhQKZtWS4v1mofMYZzy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
      • rustdesk.exe (PID: 7120)
      • rustdesk.exe (PID: 824)
      • rustdesk.exe (PID: 6368)
      • rustdesk.exe (PID: 3524)
      • rustdesk.exe (PID: 6960)
      • rustdesk.exe (PID: 4556)
      • rustdesk.exe (PID: 4476)
      • rustdesk.exe (PID: 3604)
      • rustdesk.exe (PID: 1332)
      • rustdesk.exe (PID: 5564)
    • Create files in the Startup directory

      • cmd.exe (PID: 1112)
  • SUSPICIOUS

    • Uses TASKKILL.EXE to kill process

      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
      • cmd.exe (PID: 6204)
      • cmd.exe (PID: 1112)
      • cmd.exe (PID: 6952)
    • Starts CMD.EXE for commands execution

      • rustdesk.exe (PID: 7116)
      • rustdesk.exe (PID: 824)
      • rustdesk.exe (PID: 3604)
    • Process drops legitimate windows executable

      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
    • Executable content was dropped or overwritten

      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
      • xcopy.exe (PID: 5276)
    • Application launched itself

      • rustdesk.exe (PID: 7116)
      • rustdesk.exe (PID: 6960)
      • rustdesk.exe (PID: 3604)
    • The process checks if it is being run in the virtual environment

      • rustdesk.exe (PID: 7116)
    • Reads the date of Windows installation

      • rustdesk.exe (PID: 7116)
    • Connects to unusual port

      • rustdesk.exe (PID: 7116)
      • rustdesk.exe (PID: 3604)
    • Executing commands from a ".bat" file

      • rustdesk.exe (PID: 824)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1112)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 1112)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • cmd.exe (PID: 1112)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1112)
    • Reads the Windows owner or organization settings

      • rustdesk.exe (PID: 7116)
    • The executable file from the user directory is run by the CMD process

      • rustdesk.exe (PID: 3524)
      • rustdesk.exe (PID: 6368)
    • Executes as Windows Service

      • rustdesk.exe (PID: 5564)
      • rustdesk.exe (PID: 6960)
    • The process executes VB scripts

      • cmd.exe (PID: 1112)
    • Runs shell command (SCRIPT)

      • cscript.exe (PID: 6304)
      • cscript.exe (PID: 4040)
      • cscript.exe (PID: 1732)
    • Starts itself from another location

      • rustdesk.exe (PID: 824)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1712)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • cmd.exe (PID: 1112)
  • INFO

    • Create files in a temporary directory

      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
      • rustdesk.exe (PID: 824)
      • cscript.exe (PID: 1732)
      • cscript.exe (PID: 6304)
      • cscript.exe (PID: 4040)
    • Creates files or folders in the user directory

      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
      • rustdesk.exe (PID: 7116)
      • rustdesk.exe (PID: 7120)
      • rustdesk.exe (PID: 824)
      • rustdesk.exe (PID: 6368)
      • rustdesk.exe (PID: 3524)
    • Checks supported languages

      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
      • rustdesk.exe (PID: 7116)
      • rustdesk.exe (PID: 7120)
    • Reads the computer name

      • rustdesk-1.3.2-x86_64.exe (PID: 2648)
      • rustdesk.exe (PID: 7116)
      • rustdesk.exe (PID: 7120)
    • Reads the machine GUID from the registry

      • rustdesk.exe (PID: 7116)
    • Reads Environment values

      • rustdesk.exe (PID: 7116)
    • Reads product name

      • rustdesk.exe (PID: 7116)
    • Changes the display of characters in the console

      • cmd.exe (PID: 1112)
    • Checks proxy server information

      • rustdesk.exe (PID: 7116)
    • Reads the software policy settings

      • rustdesk.exe (PID: 7116)
    • The process uses the downloaded file

      • rustdesk.exe (PID: 824)
    • Reads Windows Product ID

      • rustdesk.exe (PID: 7116)
    • Creates files in the program directory

      • cmd.exe (PID: 1112)
      • xcopy.exe (PID: 5276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:10:29 02:48:40+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 367616
InitializedDataSize: 21467136
UninitializedDataSize: -
EntryPoint: 0x4ab38
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.3.2.0
ProductVersionNumber: 1.3.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: RustDesk
OriginalFileName: rustdesk.exe
LegalCopyright: Copyright © 2024 Purslane Ltd. All rights reserved.
FileVersion: 1.3.2
ProductVersion: 1.3.2
FileDescription: RustDesk Remote Desktop
No data.
All screenshots are available in the full report
Total processes: 206
Monitored processes: 80
Malicious processes: 7
Suspicious processes: 10

Behavior graph

Processes shown in the graph, in the order they appear: start, rustdesk-1.3.2-x86_64.exe, taskkill.exe, conhost.exe, rustdesk.exe, cmd.exe, rustdesk.exe, conhost.exe, taskkill.exe, rustdesk.exe, cmd.exe, conhost.exe, chcp.com, sc.exe, sc.exe, taskkill.exe, taskkill.exe, reg.exe, reg.exe, netsh.exe, rustdesk.exe, reg.exe, rustdesk.exe, chcp.com, xcopy.exe, reg.exe (x14), cscript.exe (x3), sc.exe (x4), rustdesk.exe, sc.exe (x2), chcp.com, reg.exe (x15), netsh.exe (x2), sc.exe (x2), rustdesk.exe (x2), reg.exe, cmd.exe, rustdesk.exe, conhost.exe, cmd.exe, conhost.exe, rustdesk.exe, timeout.exe, taskkill.exe, rustdesk.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID 616 | CMD: "taskkill" /F /IM RuntimeBroker_rustdesk.exe | Path: C:\Windows\System32\taskkill.exe | Parent process: rustdesk-1.3.2-x86_64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 616 | CMD: sc stop RustDesk | Path: C:\Windows\System32\sc.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID 616 | CMD: timeout /t 2 | Path: C:\Windows\System32\timeout.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID 824 | CMD: "C:\Users\admin\AppData\Local\rustdesk\.\rustdesk.exe" --install | Path: C:\Users\admin\AppData\Local\rustdesk\rustdesk.exe | Parent process: rustdesk.exe
User:
admin
Company:
Purslane Ltd
Integrity Level:
MEDIUM
Description:
RustDesk Remote Desktop
Exit code:
3221225547
Version:
1.3.2+51
PID 920 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID 948 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID 1112 | CMD: "C:\Windows\System32\cmd.exe" /C C:\Users\admin\AppData\Local\Temp\RustDesk_install.bat | Path: C:\Windows\System32\cmd.exe | Parent process: rustdesk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID 1172 | CMD: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v BuildDate /t REG_SZ /d "2024-10-29 02:36" | Path: C:\Windows\System32\reg.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID 1332 | CMD: "C:\Program Files\RustDesk\RustDesk.exe" | Path: C:\Program Files\RustDesk\rustdesk.exe | Parent process: cmd.exe
User:
admin
Company:
Purslane Ltd
Integrity Level:
MEDIUM
Description:
RustDesk Remote Desktop
Version:
1.3.2+51
PID 1376 | CMD: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v DisplayIcon /t REG_SZ /d "C:\Program Files\RustDesk\RustDesk.exe" | Path: C:\Windows\System32\reg.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events: 15 008
Read events: 14 991
Write events: 17
Delete events: 0

Modification events

All entries below write to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk.

(PID) Process | Operation | Name | Value
(1376) reg.exe | write | DisplayIcon | C:\Program Files\RustDesk\RustDesk.exe
(6720) reg.exe | write | DisplayName | RustDesk
(6724) reg.exe | write | DisplayVersion | 1.3.2
(3744) reg.exe | write | Version | 1.3.2
(1172) reg.exe | write | BuildDate | 2024-10-29 02:36
(6420) reg.exe | write | InstallLocation | C:\Program Files\RustDesk
(4828) reg.exe | write | Publisher | RustDesk
(6956) reg.exe | write | VersionMajor | 1
(7084) reg.exe | write | VersionMinor | 3
(4692) reg.exe | write | VersionBuild | 2
Executable files: 36
Suspicious files: 28
Text files: 160
Unknown types: 9

Dropped files

PID | Process | Filename | Type
2648 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\data\app.so | -
MD5:
SHA256:
2648 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\Temp\nwgC6D3.tmp | text
MD5:90FEB8EDF41C48A02D0320766AFE6A4B
SHA256:70C7A70EEDD5B93E686AA0BC81BBA03D2E35228FF05BCDB3CC1EB3756E569B5C
2648 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\desktop_multi_window_plugin.dll | executable
MD5:70D34EB15657FBC5B9AF1CE0B1A9CE34
SHA256:7FAC09857289DF417A416F48A520B422707E952F2A8DFFFE7C28E5F47A755943
2648 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\dylib_virtual_display.dll | executable
MD5:CBE1A04E6EC8FB6C500FF19E1DE3C24D
SHA256:9DD67477F2AD0E4F00903DCE3C024B8B2DA31E13B00240EB33A8CF7A30AECB47
2648 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\WindowInjection.dll | executable
MD5:D025423CBC33BAA47F4EF63197700CE9
SHA256:1DB481FB0874FF0552262BD836B2FDAB7149E80781F04A8EEC67A51468A3B907
2648 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\flutter_custom_cursor_plugin.dll | executable
MD5:B52D55F66BDDF10E86133D17885ABBFA
SHA256:EEA74443E302F5F5388F3404EB9544FE8F94D3A503B10A9013954498069E2F76
2648 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\desktop_drop_plugin.dll | executable
MD5:823B73A4D1B2DC374EAA70A6FBCB6B5B
SHA256:F7DD9527704EDF5CC41863546CAADFE67F48A1C3A1BC103229542B36D8ED9BAF
2648 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\window_size_plugin.dll | executable
MD5:27FE268CDD6D80A3E900DF14EF7A9BFC
SHA256:97D235E714A415CA9A584434BF07D09EFC698D467AB4A9D62DC4A9BC886F7FC5
2648 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\flutter_gpu_texture_renderer_plugin.dll | executable
MD5:99B57E645A7D163A82E3F359B934482F
SHA256:04C941BAFC0C9CC8FDB56BEBCA1744FB0B6B4BCDCED905A73CDFD08CBB8D0454
2648 | rustdesk-1.3.2-x86_64.exe | C:\Users\admin\AppData\Local\rustdesk\rustdesk.exe | executable
MD5:646CDFF6F58E5C48314E91F9A4B2DB53
SHA256:2700477D573A8A81083046B41FF9DD8017B572D540B6D8B35E32EECFCF888598
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 33
DNS requests: 11
Threats: 12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6944 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 2.16.241.14:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3396 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 302 | 140.82.121.4:443 | https://github.com/rustdesk/rustdesk/releases/latest | unknown | - | - | -
- | - | GET | 302 | 140.82.121.4:443 | https://github.com/rustdesk/rustdesk/releases/latest | unknown | - | - | -
- | - | GET | 200 | 140.82.121.4:443 | https://github.com/rustdesk/rustdesk/releases/tag/1.3.2 | unknown | html | 192 Kb | shared
- | - | POST | 204 | 104.126.37.152:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted
- | - | GET | 200 | 140.82.121.4:443 | https://github.com/rustdesk/rustdesk/releases/tag/1.3.2 | unknown | html | 192 Kb | shared
- | - | POST | 204 | 104.126.37.178:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6944 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3396 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 2.16.241.14:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6944 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3396 | RUXIMICS.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4020 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 216.58.206.78 | whitelisted
crl.microsoft.com | 2.16.241.14, 2.16.241.12 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
rs-ny.rustdesk.com | 209.250.254.15 | malicious
github.com | 140.82.121.4 | shared
www.bing.com | 2.23.209.139, 2.23.209.158, 2.23.209.160, 2.23.209.155, 2.23.209.150, 2.23.209.141, 2.23.209.161, 2.23.209.149, 2.23.209.154 | whitelisted
self.events.data.microsoft.com | 52.168.112.67 | whitelisted

Threats

PID | Process | Class | Message
2172 | svchost.exe | Misc activity | ET INFO RustDesk Relay Domain in DNS Lookup
2172 | svchost.exe | Misc activity | ET INFO RustDesk Domain in DNS Lookup
2172 | svchost.exe | Misc activity | ET INFO RustDesk Domain in DNS Lookup
2172 | svchost.exe | Misc activity | ET INFO RustDesk Relay Domain in DNS Lookup
8 ETPRO signatures available at the full report
No debug info